Abstract — A divide-and-conquer cryptanalysis can often be 
mounted against some keystream generators composed of several 
(nonlinear) independent devices combined by a Boolean function. 
In particular, any parity-check relation derived from the periods 
of some constituent sequences usually leads to a distinguishing 
attack whose complexity is determined by the bias of the relation. 
However, estimating this bias is a difficult problem since the 
piling-up lemma cannot be used. Here, we give two exact 
expressions for this bias. Most notably, these expressions lead to a 
new algorithm for computing the bias of a parity-check relation, 
and they also provide some simple formulae for this bias in some 
particular cases which are commonly used in cryptography. 

I. DIVIDE-AND-CONQUER ATTACKS AGAINST SOME STREAM CIPHERS

Parity-check relations are extensively used in cryptanalysis for building statistical distinguishers. For instance, they can be exploited in divide-and-conquer attacks against some stream ciphers which consist of several independent devices whose output sequences are combined by a nonlinear function. Here, we focus on such keystream generators as depicted in Figure 1. All the n constituent devices are updated independently from each other. The only assumption which will be used in the whole paper is that each sequence $x_i = (x_i(t))_{t \geq 0}$ generated by the i-th device is periodic with least period $T_i$.
Fig. 1. Keystream generator composed of several independent devices combined by a Boolean function



The simplest case of a generator built according to the model depicted in Figure 1 is the combination generator, where all devices are LFSRs. However, our work is of greater interest in the case where the next-state functions of the constituent devices are nonlinear. The eSTREAM candidate Achterbahn and its variants [1], [2], designed by Gammel, Göttfert and Kniffler, follow this design principle: all these ciphers are actually composed of several nonlinear feedback shift registers (NLFSRs) with maximal periods. This design is very attractive since the use of independent devices makes it possible to accommodate a large internal state with a small hardware footprint.



However, the main weakness of this design is obviously that it is inherently vulnerable to divide-and-conquer attacks. As originally pointed out by Siegenthaler [3], the cryptanalyst may actually mount an attack which depends on a small subset of the constituent devices only. This can be done if there exists a smaller generator which involves k constituent devices whose output is correlated to the keystream. This equivalently means that there exists a correlation between the output of the combining function and the output of a Boolean function depending on k variables. The smallest number k of devices that have to be considered together in the attack is then equal to $(t + 1)$, where t is the correlation-immunity order (or resiliency order) of the combining function f. Recall that a Boolean function is said to be t-th order correlation-immune if its output distribution does not change when any t input variables are fixed. Moreover, a t-resilient function is a t-th order correlation-immune function which is balanced.

Now, we recall how parity-check relations can be used for mounting a divide-and-conquer attack against such a keystream generator. This technique has been introduced by Johansson, Meier and Müller [4] for cryptanalysing the first version of Achterbahn [1]. Then, it has been extensively exploited in several attacks against the following variants of the cipher [5], [6], [7], [8]. By analogy with coding theory, a parity-check relation for a binary sequence $x = (x(t))_{t \geq 0}$ is a linear relation between some bits of x at different instants $(t + \tau)$, where $\tau$ varies in a fixed set T and t takes any value:

$$\bigoplus_{\tau \in T} x(t + \tau) = 0, \quad \forall t \geq 0.$$

Then, the indexes $\tau$ corresponding to the nonzero coefficients of the characteristic polynomial of a linear recurring sequence provide a parity-check relation. A two-term parity-check relation,

$$x(t) \oplus x(t + \tau) = 0, \quad \forall t \geq 0,$$

obviously corresponds to a period of the sequence. In the following, we only focus on parity-check relations between $2^s$ instants, which are defined as follows.

Definition 1: Let $x_1, \ldots, x_n$ be n sequences and let f be a Boolean function of n variables. Then, for any set

$$T = \left\{ \sum_{i=1}^{s} c_i M_i,\ c_i \in \{0, 1\} \right\}$$

where $M_1, \ldots, M_s$ are some non-negative integers, $PC_{f,T}$ is the binary sequence defined by

$$PC_{f,T}(t) = \bigoplus_{\tau \in T} f(x_1(t + \tau), \ldots, x_n(t + \tau)), \quad \forall t \geq 0.$$

In the following, each $M_i$ corresponds to a multiple of the least common multiple of the periods of some constituent sequences. Moreover, in order to simplify the notation, we will assume without loss of generality that the input variables are ordered in such a way that each integer $M_i$ corresponds to a multiple of $\mathrm{lcm}(T_{\ell_i + 1}, \ldots, T_{\ell_{i+1}})$ with $\ell_1 = 0$ and $\ell_{s+1} = k$. This notably implies that T involves the periods of the first k sequences, $x_1, \ldots, x_k$.

Proposition 2: Let $x_1, \ldots, x_n$ be n sequences with least periods $T_1, \ldots, T_n$ and

$$T = \left\{ \sum_{i=1}^{s} c_i M_i,\ c_i \in \{0, 1\} \right\}$$

where $M_i = q_i\,\mathrm{lcm}(T_{\ell_i + 1}, \ldots, T_{\ell_{i+1}})$ with $q_i > 0$, $\ell_1 = 0$ and $\ell_{s+1} = k$. Let g be any Boolean function of k variables of the form

$$g(x_1, \ldots, x_k) = \bigoplus_{i=1}^{s} g_i(x_{\ell_i + 1}, \ldots, x_{\ell_{i+1}})$$

where each $g_i$ is any Boolean function of $(\ell_{i+1} - \ell_i)$ variables. Then, for all $t \geq 0$, we have

$$PC_{g,T}(t) = \bigoplus_{\tau \in T} g(x_1(t + \tau), \ldots, x_k(t + \tau)) = 0.$$

In the whole paper, we use the following notation.

Definition 3: Let f be a Boolean function of n variables. Then, the bias of f is

$$\mathcal{E}(f) = 2^{-n} \sum_{x \in \mathbb{F}_2^n} (-1)^{f(x)}.$$

This quantity is also called the imbalance of f (e.g. in [9], [10]) or the correlation between f and the all-zero function (e.g. in [11]).

The underlying principle of the attack presented by Johansson, Meier and Müller [4] consists in exhibiting a biased approximation g of the combining function f which involves k input variables, and a parity-check relation $PC_{g,T} = 0$ for the sequence $g(x_1, \ldots, x_k)$. Then, the associated parity-check relation applied to $f(x_1, \ldots, x_n)$ does not vanish, but it is biased in the sense that it is not uniformly distributed when the $(T_1 + \ldots + T_n)$ bits $x_1(0), \ldots, x_1(T_1 - 1), x_2(0), \ldots, x_2(T_2 - 1), \ldots, x_n(T_n - 1)$ are randomly chosen. The bias of $PC_{f,T}$, denoted by $\mathcal{E}(PC_{f,T})$, is then defined as the bias of a Boolean function with $(T_1 + \ldots + T_n)$ input variables corresponding to the concatenation of the first periods of the sequences. It follows that

$$\Pr[PC_{f,T}(t) = 0] = \frac{1}{2}\left(1 + \mathcal{E}(PC_{f,T})\right)$$

with $\mathcal{E}(PC_{f,T}) > 0$. Then, computing

where s is the keystream, for different values of $t \geq 0$ enables the attacker to distinguish the keystream from a random sequence. The complexity of this distinguishing attack depends on the bias $\varepsilon$ of $PC_{f,T}$. More precisely, the time complexity of the attack corresponds to $\varepsilon^{-2} 2^s$, where $2^s$ is the number of elements in T, since the bias $\varepsilon$ can be detected from at least $\varepsilon^{-2}$ occurrences of the biased relation. The data complexity, i.e. the number of consecutive keystream bits required for the attack, is then the maximal value which must be considered for $(t + \tau)$, i.e.

$$\varepsilon^{-2} + \max T.$$

Many variants of this attack can be derived [5], [6], [7], [8]. However, determining the complexity of all these attacks requires an estimation of the bias of $PC_{f,T}$. In several attacks [?], [7], [11], it was assumed that the piling-up lemma [12] holds, i.e.

$$\mathcal{E}(PC_{f,T}) \simeq \left[\mathcal{E}(f \oplus g)\right]^{2^s}.$$

But it clearly appears that this result does not apply since the terms $f(x_1(t + \tau), \ldots, x_n(t + \tau))$ for the different values of $\tau \in T$ are not independent. Actually, Naya-Plasencia [6] and Hell and Johansson [7] have independently pointed out that the so-called piling-up approximation [10] is far from being valid in some cases.

For instance, the 11-variable Boolean function used in Achterbahn-80 is 6-resilient. An exhaustive search for the initial states of $x_1$ and $x_2$ and a decimation by $T_7$ enable the attacker to use parity-check relations for $f' = f + x_1 + x_2 + x_7$, which is 3-resilient. Then, the quadratic approximation

$$g = x_3 x_{10} + x_4 x_9 \quad \text{with } \mathcal{E}(f' \oplus g) \simeq 2^{-\ldots}$$

has been considered, corresponding to the set

$$T = \{c_1 T_3 T_{10} + c_2 T_4 T_9,\ c_1, c_2 \in \{0, 1\}\}.$$

It has been deduced that the bias of $PC_{f,T}$ was $(2^{-\ldots})^4 \simeq 2^{-\ldots}$, leading to an infeasible attack which exceeds the keystream length limitation: the data complexity must be at least $2^{\ldots}$ and must be multiplied by $T_7 = 2^{\ldots}$. But Naya-Plasencia in [6] used another approximation, namely

$$g = x_3 + x_{10} + x_4 + x_9 \quad \text{with } \mathcal{E}(f' \oplus g) = 2^{-\ldots}.$$

This linear approximation leads to $\mathcal{E}(PC_{f,T}) = 2^{-\ldots}$ for the same set T, and to a feasible attack with an overall data complexity close to $2^{\ldots}$ (see [6] for a precise estimation of the complexity).

From this concrete example, it clearly appears that estimating the bias of $PC_{f,T}$ may be a difficult problem. This issue has been raised in [6], [13], which have identified some cases where the piling-up approximation holds. However, since these equality cases are quite rare, a much more extensive study is needed in order to evaluate the resistance of such keystream generators to distinguishing attacks. In this paper, we first emphasize that, even if most attacks based on parity-check relations use an explicit correspondence between the set T and an approximation g of f depending on k variables, the bias of $PC_{f,T}$ does not depend on this approximation. Most notably, we show in the next section that the piling-up lemma applied to any approximation g compatible with T provides a lower bound on $\mathcal{E}(PC_{f,T})$. Then, Section III gives two exact expressions for $\mathcal{E}(PC_{f,T})$, one involving the biases of some restrictions of f, and the other one by means of its Walsh coefficients. These expressions lead to an algorithm for computing the bias of a parity-check relation with a much lower complexity than the usual approach, and they also provide some simple formulae for this bias in some particular cases which are commonly used in cryptography, especially when f is a plateaued function.

II. A LOWER BOUND ON THE BIAS OF PARITY-CHECK RELATIONS

However, we can prove that the piling-up approximation provides a lower bound on the bias of $PC_{f,T}$.

Theorem 4: Let $x_1, \ldots, x_n$ be n sequences with least periods $T_1, \ldots, T_n$, f a Boolean function of n variables and $s = f(x_1, \ldots, x_n)$. Let

$$T = \left\{ \sum_{i=1}^{s} c_i M_i,\ c_i \in \{0, 1\} \right\}$$

where $M_i = q_i\,\mathrm{lcm}(T_{\ell_i + 1}, \ldots, T_{\ell_{i+1}})$ with $q_i > 0$, $\ell_1 = 0$ and $\ell_{s+1} = k$. Then, for any Boolean function g of k variables of the form

$$g(x_1, \ldots, x_k) = \bigoplus_{i=1}^{s} g_i(x_{\ell_i + 1}, \ldots, x_{\ell_{i+1}}) \qquad (1)$$

where each $g_i$ is a Boolean function of $(\ell_{i+1} - \ell_i)$ variables, we have

$$\mathcal{E}(PC_{f,T}) \geq \left[\mathcal{E}(f \oplus g)\right]^{2^s}.$$

The key point in the previous theorem is that $\mathcal{E}(f \oplus g)$ provides a lower bound on the bias of the parity-check relation for any choice of the approximation g of the form (1). The linear approximation of f by the sum of the first k input variables is usually considered, but any linear approximation involving these variables can be chosen, as stated in the next corollary. In the following, for any $a \in \mathbb{F}_2^n$, $\varphi_a$ denotes the linear function of n variables $x \mapsto a \cdot x$, where $x \cdot y$ is the usual scalar product.

Corollary 5: With the notation of Theorem 4, we have

$$\mathcal{E}(PC_{f,T}) \geq \max_{a \in V_k} \left[\mathcal{E}(f \oplus \varphi_a)\right]^{2^s}$$

where $V_k$ is the subspace spanned by the first k basis vectors.

It is worth noticing that this corollary leads to a lower bound on the bias of the parity-check relation even if the functions f and $x \mapsto x_1 \oplus \ldots \oplus x_k$ are not correlated (i.e., if the Walsh coefficient of f at point $\mathbf{1}_k$ vanishes, where the first k coordinates of $\mathbf{1}_k$ are 1 and the other $(n - k)$ are zero). This is the first known result in such a situation; the impossibility of deducing any estimation of the bias of the relation in such cases has been stressed in Example 1 in [13].

However, some other approximations g with a higher degree may lead to a better bound. But, since any Boolean function is completely determined by its Walsh transform, i.e. by the biases of all its linear approximations, it appears that $\mathcal{E}(PC_{f,T})$ can be computed from the biases of the linear approximations of f only.

III. EXACT FORMULAE FOR THE BIAS OF THE PARITY-CHECK RELATION

In some situations, especially when the designer of a generator has to guarantee that the system resists distinguishing attacks, the previous lower bound on the bias of a parity-check relation is not sufficient, and its exact value must be computed. However, since a parity-check relation with $2^s$ terms involves $n 2^s$ variables, where n is the number of variables of f, computing its bias requires $2^{n 2^s}$ evaluations of f, which is out of reach in many practical situations. For instance, Achterbahn-128 uses a combining function f of 13 variables, and the biases of parity-check relations with 8 terms (i.e. with s = 3) must be estimated; this requires $2^{104}$ operations. Here, we give two exact expressions of the bias of a parity-check relation, which can be computed with much fewer operations, e.g. with $2^{43}$ evaluations of f in the previous case. The first expression makes use of the biases of the restrictions of f when its first k inputs are fixed; the second one, which is related to a theorem due to Nyberg [11], is based on the Walsh coefficients of the combining function. A similar technique is also used in another context in [14].

A. Expression by means of the restrictions of f 

Definition 6: Let f be a Boolean function of n variables and let $V_k$ and $V_{n-k}$ be two subspaces such that $V_k \times V_{n-k} = \mathbb{F}_2^n$ and $\dim(V_k) = k$. Then, the restriction of f to the affine subspace $a + V_{n-k}$, $a \in V_k$, denoted by $f_{a + V_{n-k}}$, is the Boolean function of $(n - k)$ variables defined by

$$f_{a + V_{n-k}} : x \in V_{n-k} \mapsto f(x + a).$$

Now, for computing the exact value of $\mathcal{E}(PC_{f,T})$, we decompose $PC_{f,T}$ according to the values of the first k variables in f, since the other $(n - k)$ sequences $x_i$, $k + 1 \leq i \leq n$, are supposed to be such that $x_i(t + \tau)$ is statistically independent from $x_i(t)$ for any $\tau \in T$. Amongst the $k 2^s$ variables $x_i(t + \tau)$, $1 \leq i \leq k$ and $\tau \in T$, we can easily see that each variable is repeated once. Indeed, for j such that $\ell_i < j \leq \ell_{i+1}$, we have $x_j(t + \tau) = x_j(t + \tau')$ if and only if $|\tau - \tau'| = M_i$.

It follows that the values of $x_j(t + \tau)$, $1 \leq j \leq k$ and $\tau \in T$, are determined by a $k 2^{s-1}$-bit word $\alpha$. Let us split $\alpha$ into k words $(\alpha_1, \ldots, \alpha_k)$ of $2^{s-1}$ bits. We use the correspondence between the values of $\tau = \sum_{i=1}^{s} c_i M_i$ in T and the integers c, $0 \leq c \leq 2^s - 1$, defined by $c = \sum_{i=1}^{s} c_i 2^{i-1}$. Then, the value of the k-bit word $(x_1(t + \tau), \ldots, x_k(t + \tau))$ is equal to $x(c, \alpha) = (x_1(c, \alpha), \ldots, x_k(c, \alpha))$ where, for any j such that $\ell_i < j \leq \ell_{i+1}$, we have

$$x_j(c, \alpha) = \begin{cases} x_j(c - 2^{i-1}, \alpha) & \text{if } c_i \neq 0 \\ \alpha_{j,\, 2^{i-1} q + r} & \text{if } c = 2^{i} q + r,\ r < 2^{i-1}. \end{cases}$$

Clearly, if $c_i \neq 0$, we have that c and $c' = c - 2^{i-1}$ correspond to a pair $(\tau, \tau')$ with $\tau - \tau' = M_i$. Since $M_i$ is a period of $x_j$, we deduce that $x_j(c, \alpha) = x_j(c', \alpha)$. If $c_i = 0$, the corresponding value of $x_j(t + \tau)$ is statistically independent from the previous ones and must be defined by a bit of $\alpha_j$ which has not been used for smaller values of c. The number of bits of $\alpha_j$ which have been used for the previous vectors $x_j(c', \alpha)$, $c' < 2^{i} q$, is $2^{i-1} q$, since the set $\{0, \ldots, 2^{i} q - 1\}$ is composed of pairs of the form $(c', c' + 2^{i-1})$ with $c'_i = 0$. Moreover, all c' in $\{2^{i} q, \ldots, 2^{i} q + r - 1\}$ satisfy $c'_i = 0$ because $r < 2^{i-1}$. Therefore, exactly $(2^{i-1} q + r)$ bits of $\alpha_j$ have been used for $x_j(c', \alpha)$, $c' \leq 2^{i} q + r - 1$.



Example. Let us consider a set T composed of $2^3$ elements which involve the periods of 4 sequences:

$$T = \{c_1 T_1 T_2 + c_2 T_3 + c_3 T_4,\ c_1, c_2, c_3 \in \{0, 1\}\}.$$

Then, the 4-bit words $x(c, \alpha)$, $0 \leq c < 8$, are defined by the 16-bit word $\alpha$ as follows, where a star marks the elements which have already been used for a smaller value of c:

x(0, α) = (α00  α10  α20  α30 )      x(4, α) = (α02  α12  α22  α30*)
x(1, α) = (α00* α10* α21  α31 )      x(5, α) = (α02* α12* α23  α31*)
x(2, α) = (α01  α11  α20* α32 )      x(6, α) = (α03  α13  α22* α32*)
x(3, α) = (α01* α11* α21* α33 )      x(7, α) = (α03* α13* α23* α33*)



The definition of $x(c, \alpha)$ enables us to express the bias of $PC_{f,T}$ by means of the biases of the restrictions of f to all cosets of the subspace $V_{n-k}$ spanned by the last $(n - k)$ basis vectors.

Theorem 7: Let $x_1, \ldots, x_n$ be n sequences with least periods $T_1, \ldots, T_n$, f a Boolean function of n variables and $s = f(x_1, \ldots, x_n)$. Let

$$T = \left\{ \sum_{i=1}^{s} c_i M_i,\ c_i \in \{0, 1\} \right\}$$

where $M_i = q_i\,\mathrm{lcm}(T_{\ell_i + 1}, \ldots, T_{\ell_{i+1}})$ with $q_i > 0$, $\ell_1 = 0$ and $\ell_{s+1} = k$. Assume that T does not contain any multiple of $T_j$, for any $k < j \leq n$. Let $V_{n-k}$ be the subspace spanned by the last $(n - k)$ basis vectors. Then, we have

$$\mathcal{E}(PC_{f,T}) = 2^{-k 2^{s-1}} \sum_{\alpha \in \mathbb{F}_2^{k 2^{s-1}}} \prod_{c=0}^{2^s - 1} \mathcal{E}\left(f_{x(c, \alpha) + V_{n-k}}\right).$$

Proof: We have

$$\Pr[PC_{f,T}(t) = 0] = 2^{-k 2^{s-1}} \sum_{\alpha \in \mathbb{F}_2^{k 2^{s-1}}} \Pr\left[PC_{f,T}(t) = 0 \,\middle|\, (x_1(t + \tau), \ldots, x_k(t + \tau)) = x(c, \alpha),\ 0 \leq c < 2^s\right].$$

When the values of the first k input variables in every term of $PC_{f,T}$ are fixed, the piling-up lemma can be applied since the remaining $(n - k) 2^s$ variables are statistically independent. The reason is that $\tau$ is not a multiple of the period $T_i$, for any $k < i \leq n$. Then, we deduce that the term corresponding to $\alpha$ in the previous sum equals

$$\frac{1}{2}\left(1 + \prod_{c=0}^{2^s - 1} \mathcal{E}\left(f(x(t + \tau), y(t + \tau)) \,\middle|\, x(t + \tau) = x(c, \alpha)\right)\right),$$

where $x(t + \tau)$ and $y(t + \tau)$ denote the first k and the last $(n - k)$ input variables respectively, so that each factor is the bias of the restriction $f_{x(c, \alpha) + V_{n-k}}$. We then deduce that

$$\Pr[PC_{f,T}(t) = 0] = \frac{1}{2}\left(1 + 2^{-k 2^{s-1}} \sum_{\alpha \in \mathbb{F}_2^{k 2^{s-1}}} \prod_{c=0}^{2^s - 1} \mathcal{E}\left(f_{x(c, \alpha) + V_{n-k}}\right)\right).$$

This result provides an algorithm for computing the exact value of $\mathcal{E}(PC_{f,T})$. The precomputation step consists in computing and storing in a table the $2^k$ values of $\mathcal{E}(f_{a + V_{n-k}}) = 2^{-(n-k)} \sum_{y \in V_{n-k}} (-1)^{f(a + y)}$ for $a \in V_k$. This step requires $2^n$ evaluations of f. Then, computing the bias of the parity-check relation needs to compute, for all $\alpha \in \mathbb{F}_2^{k 2^{s-1}}$, the product of $2^s$ precomputed values whose indexes are given by $x(c, \alpha)$, for $0 \leq c < 2^s$. This requires $2^{k 2^{s-1}} \times 2^s$ operations over integers. This leads to an overall complexity of $2^{k 2^{s-1} + s} + 2^n$, which is much lower than the complexity of the trivial computation, $2^{n 2^s}$ evaluations of f. For instance, the 13-variable function in Achterbahn-128 is 8-resilient. Estimating the bias of a parity-check relation involving 10 input variables with 8 terms (i.e. with s = 3) then requires $2^{43}$ operations.

B. Expression by means of the Walsh coefficients of f

A similar exact expression for the bias $\mathcal{E}(PC_{f,T})$ can be obtained from the Walsh coefficients of f, i.e. from all biases $\mathcal{E}(f + \varphi_a)$, $a \in V_k$, where $V_k$ is the subspace spanned by the first k basis vectors.

Theorem 8: Let $x_1, \ldots, x_n$ be n sequences with least periods $T_1, \ldots, T_n$, f a Boolean function of n variables and $s = f(x_1, \ldots, x_n)$. Let

$$T = \left\{ \sum_{i=1}^{s} c_i M_i,\ c_i \in \{0, 1\} \right\}$$

where $M_i = q_i\,\mathrm{lcm}(T_{\ell_i + 1}, \ldots, T_{\ell_{i+1}})$ with $q_i > 0$, $\ell_1 = 0$ and $\ell_{s+1} = k$. Assume that T does not contain any multiple of $T_j$, for any $k < j \leq n$. Then, we have

$$\mathcal{E}(PC_{f,T}) = \sum_{\alpha \in \mathbb{F}_2^{k 2^{s-1}}} \prod_{c=0}^{2^s - 1} \mathcal{E}\left(f + \varphi_{x(c, \alpha)}\right).$$

This expression leads to an algorithm for computing the bias which is very similar to the one based on the biases of the restrictions of f. But we need to precompute and to store the Walsh coefficients of f corresponding to all elements in $V_k$.
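The two algorithms of Sections III-A and III-B, together with the indexing x(c, α) they rely on, as an added Python example that is not part of the paper: it computes E(PC_{f,T}) from the restriction biases (Theorem 7), from the Walsh coefficients (Theorem 8) and by the trivial exhaustive computation over the first periods, on a toy instance constructed here (n = 4, k = 2, s = 2, the bent function f = x1x2 + x3x4 and periods 2, 3, 4, 7, none of which comes from the paper), and compares the exact value with the piling-up lower bound of Corollary 5.

```python
from fractions import Fraction
from itertools import product
from math import lcm

# Constructed toy instance (chosen for this example, not taken from the paper): n = 4, T involves
# the periods of the first k = 2 sequences in s = 2 blocks of one sequence each (M_1 = T_1,
# M_2 = T_2), and f is the bent function x1 x2 + x3 x4, for which piling-up is far from exact.
N, K = 4, 2
PERIODS = [2, 3, 4, 7]                 # T_1, ..., T_4: no tau in T is a multiple of T_3 or T_4
BLOCKS = [0, 1, 2]                     # l_1 = 0, l_2 = 1, l_3 = k = 2
M = [lcm(*PERIODS[BLOCKS[i]:BLOCKS[i + 1]]) for i in range(len(BLOCKS) - 1)]
S = len(M)
T_SET = [sum(M[i] for i in range(S) if (c >> i) & 1) for c in range(1 << S)]  # tau <-> c = sum c_i 2^(i-1)

def f(x):                              # x is a tuple of n bits, x[0] is x_1
    return (x[0] & x[1]) ^ (x[2] & x[3])

def x_vec(c, alpha, blocks):
    """The k-bit word x(c, alpha) of Section III-A; alpha is a list of k words of 2^(s-1) bits."""
    out = []
    for j in range(1, blocks[-1] + 1):
        i = next(b for b in range(len(blocks) - 1) if blocks[b] < j <= blocks[b + 1])  # block of x_j, 0-based
        c0 = c - (1 << i) if (c >> i) & 1 else c   # c_i != 0: repeat the value taken for c - 2^(i-1)
        q, r = divmod(c0, 1 << (i + 1))            # c0 = 2^i q + r, r < 2^(i-1): fresh bit 2^(i-1) q + r of alpha_j
        out.append(alpha[j - 1][(1 << i) * q + r])
    return tuple(out)

def bias(g, nvars):
    """E(g) = 2^-n sum_x (-1)^g(x) (Definition 3), as an exact rational."""
    return Fraction(sum((-1) ** g(x) for x in product((0, 1), repeat=nvars)), 2 ** nvars)

def restriction_biases(f, n, k):
    """Precomputation of Theorem 7: E(f_{a+V_{n-k}}) for all a in V_k (2^n evaluations of f)."""
    return {a: bias(lambda y: f(a + y), n - k) for a in product((0, 1), repeat=k)}

def walsh_biases(f, n, k):
    """Precomputation of Theorem 8: E(f + phi_a) for all a in V_k (a is padded with zeros)."""
    return {a: bias(lambda x: (f(x) + sum(p & q for p, q in zip(a, x))) % 2, n) for a in product((0, 1), repeat=k)}

def pc_bias(table, blocks, walsh=False):
    """Theorem 7 (average over alpha) or Theorem 8 (plain sum): products over c of the table at x(c, alpha)."""
    k, s = blocks[-1], len(blocks) - 1
    total = Fraction(0)
    for bits in product((0, 1), repeat=k << (s - 1)):
        alpha = [bits[w << (s - 1):(w + 1) << (s - 1)] for w in range(k)]
        prod = Fraction(1)
        for c in range(1 << s):
            prod *= table[x_vec(c, alpha, blocks)]
        total += prod
    return total if walsh else total / 2 ** (k << (s - 1))

def pc_bias_bruteforce(f, periods, taus):
    """Definition of E(PC_{f,T}): average of (-1)^PC(0) over all (T_1+...+T_n) first-period bits."""
    offsets = [sum(periods[:i]) for i in range(len(periods))]
    def pc(bits):                      # PC_{f,T}(0) for one choice of the first periods
        return sum(f(tuple(bits[o + tau % p] for o, p in zip(offsets, periods))) for tau in taus) % 2
    total = sum((-1) ** pc(bits) for bits in product((0, 1), repeat=sum(periods)))
    return Fraction(total, 2 ** sum(periods))

def demo():                            # exact bias three ways, plus the piling-up lower bound of Corollary 5
    walsh = walsh_biases(f, N, K)
    exact_r = pc_bias(restriction_biases(f, N, K), BLOCKS)
    exact_w = pc_bias(walsh, BLOCKS, walsh=True)
    brute = pc_bias_bruteforce(f, PERIODS, T_SET)
    bound = max(abs(e) for e in walsh.values()) ** (1 << S)
    return exact_r, exact_w, brute, bound
```

On this instance all three computations give E(PC_{f,T}) = 2^-5, whereas the piling-up bound from the best linear approximation is only 2^-8.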



IV. COMPUTING THE BIAS IN SOME PARTICULAR CASES

As a direct corollary of Theorem 8, we obtain the following theorem. It shows that equality holds in Corollary 5 when, amongst all linear functions depending on the k variables involved in T, a single one corresponds to a biased approximation of f. With this theorem, we recover the value of the bias of a parity-check relation involving the periods of k input sequences when the resiliency order of f is equal to $(k - 1)$. This particular case of our theorem corresponds to the case identified in [6], [13] where the piling-up approximation holds.

Theorem 9: With the notation of Theorem 8, suppose that there exists a single linear function $\varphi_a$ with $a \in V_k$ such that $\mathcal{E}(f + \varphi_a) \neq 0$. Then, we have

$$\mathcal{E}(PC_{f,T}) = \left[\mathcal{E}(f + \varphi_a)\right]^{2^s}.$$

In particular, if f is $(k - 1)$-resilient, then

$$\mathcal{E}(PC_{f,T}) = \left[\mathcal{E}(f + \varphi_{\mathbf{1}_k})\right]^{2^s},$$

where $\mathbf{1}_k$ is the n-bit word whose first k coordinates are equal to 1 and the other ones are equal to 0.

For a t-resilient function, the bias of a parity-check relation involving any $(t + 1)$ inputs is given by Theorem 9 but, as pointed out in [13], this result does not hold anymore when T involves $(t + 2)$ sequences. However, this case can be treated when the function f is plateaued [13], i.e. when all values taken by its Walsh transform belong to $\{0, \pm W\}$ for some W. Note that both combining functions in Achterbahn-80 and in Achterbahn-128 are plateaued.

Theorem 10: With the notation and hypotheses of Theorem 8, suppose that f is $(k - 2)$-resilient and plateaued, i.e. $\mathcal{E}(f + \varphi_a) \in \{0, \pm \varepsilon\}$ for all $a \in \mathbb{F}_2^n$. Let

$$A = \{a \in V_k,\ \mathcal{E}(f + \varphi_a) \neq 0\}.$$

Then,

$$\mathcal{E}(PC_{f,T}) \leq |A|^{2^{s-1}} \varepsilon^{2^s}.$$

Moreover, equality holds if and only if there exists i, $1 \leq i \leq s$, such that $M_i$ is a period of all sequences $x_j$ for all j in

$$\bigcup_{a \in A} \mathrm{supp}(\mathbf{1}_k \oplus a).$$